Posts

Android | Web View & Android Debuggable

Web View

Web View is used to render HTML code inside an Android application's view. A WebView is a component in Android that lets you display web pages inside an app. Think of it like a mini browser embedded inside your Android app.

setJavaScriptEnabled(true) ==> Vulnerable to XSS attacks.

Android Debuggable

If an Android app isn’t marked as debuggable, its internal data—such as shared preferences, databases, cache, and other private files—cannot be accessed.

Hardcoded Vulnerability
Reversing
Weak Cryptography
Deprecated Algorithm

Android - Activity | Content Provider | Broadcast & Receiver | Services

Activity & Services using ADB Shell:
Using Drozer - Exploit the Content Providers
Exploit SharedPreference using adb shell
SQLite Databases using ADB
Local Storage using ADB
DROZER
Content Provider by using Drozer
Broadcast and Receiver

CVSS Calculator Full Explanation

Exploitability Metrics

Attack Vector (AV)

Network (N) – The attacker can exploit the vulnerability remotely over the internet. (Highest Severity)
Example: Exploiting a web server via a crafted HTTP request.

Adjacent Network (A) – The attacker must be on the same local network segment. (High Severity)
Example: Attacking a router using vulnerabilities available only on the same Wi-Fi network.

Local: Needs access to the operating system, not the device. (Medium Severity)
Example: Running a malicious program after login.

Physical: Needs hands-on access to the device. (Lowest Severity)
Example: Plugging in a malicious USB.

Attack Complexity:

Scenario 1: We have one network environment that is easily exploitable. Hence, the attack complexity is chosen to be LOW.
Scenario 2: We have one network environment that is hard to exploit. Hence, the attack complexity is chosen to be HIGH.

🔐 Privilege Required (PR) Levels

1️⃣ PR: None (N) Attacker needs no login or a...

API - Vuln Bank

1. Weak Credential Management vulnerability
   http://172.19.0.3:5000/dashboard
   Credential: admin:admin123
2. Sensitive Information Disclosure
3. SQL Injection
   Payload: ' OR 1=1 --
4. JWT Weak Implementation

Missing Input Validation in Loan Request

Verify the input field length validation:
   Input: -5000
   Input: 999999999999999999
   Input: 0

The above input values should not be accepted by the application.

API - SSRF

Server Side Request Forgery (SSRF) App - 2

API - Excessive Data Exposures

Excessive Data Exposure: Endpoints disclose sensitive information such as email IDs, contact numbers, etc.

API - Mass Assignment

What is Mass Assignment? (Easy Explanation)

Mass assignment happens when an API automatically takes all the data sent by the user and assigns it directly to a database model without filtering which fields are allowed. This becomes dangerous because a malicious user can send extra fields that they should not have control over.

❌ Why is Mass Assignment Dangerous?

Because attackers can modify sensitive fields that were never meant to be changed — such as:

role (e.g., make themselves admin)
isActive
balance
isPaid
password
isAdmin

Simple Example

Bad API Code (Vulnerable to mass assignment)

Imagine we have a User model:

    // User model fields
    {
      name: String,
      email: String,
      role: String, // "user" or "admin"
      isActive: Boolean
    }

And the API endpoint:

    // ❌ Dangerous
    app.post('/users', async (req, res) => {
      const user = await User.create(req.body); // ← mass assignment
      res.send(user);
    });

Normally, a user should only set...